On 2025-12-02, Maxim Cournoyer wrote:
> "Jodi Jodington (dev)" <[email protected]> writes:
>> Dec 1, 2025 12:25:13 PM Vagrant Cascadian <[email protected]>:
>>> Admittedly, some of the practices of some of the guix committers make me
>>> cringe sometimes, e.g. notably the anti-pattern "just use guix download
>>> to get the *right* hash and commit that!" ... so there still is a lot of
>>> blind trust going on...
>> What would be the correct way to do it? I've always just used guix
>> download 😅
>
> It's not that bad, it's similar to what we do when we use package
> importers that support verifying PGP signatures, and prompt us to
> download the missing keys; it's called trust on first use, or TOFU for
> short.
I think this is a bit of a misapplication of the concept of TOFU, at least in spirit, as each version update resets your TOFU counter to zero in the way you are describing... :)

Trust On First Use and Trust On (second) First Use and Trust On (third) First Use (etc.) ... seems like a different model to me. :)

> And in some cases (e.g. 'git'), we don't currently have the support to
> validate the signatures of PGP signed commits, so it's not like you can
> do more than get the hash from 'guix download -g'.

I manually verify upstream signed git tags, when possible... and then generate the hash from a checkout of the tag.

I also manually verify upstream signed tarballs, when possible.

I have not worked with many projects that make a habit of signed commits or use systems like "guix git authenticate" or similar, but obviously that would be good to do for projects doing that.

I say "when possible", as I do have trust paths to some projects via my OpenPGP web of trust, or upstream documentation of the appropriate signing keys and key transitions, or in some cases apply Trust On First Use (TOFU) with the signing keys for various projects...

I at least glance at the differences in the source code when updating to new versions, which at my skill level would not catch any subtle code issues, but might catch some glaring ones, and occasionally catches new licensing issues...

It is not possible to do all those checks all the time, but it is at least worth trying, rather than blindly using the hash that guix download spits out...

> It'd be nice to add support to check git signatures with 'guix download -g'.

Agreed.

live well,
  vagrant